On 04/18/2018 12:41 PM, Matt Riedemann wrote:
> There is a compute REST API change proposed [1] which will allow users
> to pass trusted certificate IDs to be used with validation of images
> when creating or rebuilding a server. The trusted cert IDs are based on
> certificates stored in some key manager, e.g. Barbican.
> The full nova spec is here [2].
> The main concern I have is that trusted certs will not be supported for
> volume-backed instances, and some clouds only support volume-backed
> instances.
Yes. And some clouds only support the VMware vCenter virt driver. And some
only support Hyper-V. I don't believe we should delay adding good
functionality to (a large percentage of) clouds because it doesn't yet
work with one virt driver or one piece of (badly-designed) functionality.
> The way the patch is written is that if the user attempts to
> boot from volume with trusted certs, it will fail.
And... I think that's perfectly fine.
> In thinking about a semi-discoverable/configurable solution, I'm
> thinking we should add a policy rule around trusted certs to indicate if
> they can be used or not. Beyond the boot from volume issue, the only
> virt driver that supports trusted cert image validation is the libvirt
> driver, so any cloud that's not using the libvirt driver simply cannot
> support this feature, regardless of boot from volume. We have added
> similar policy rules in the past for backend-dependent features like
> volume extend and volume multi-attach, so I don't think this is a new
> issue.
> Alternatively we can block the change in nova until it supports boot
> from volume, but that would mean needing to add trusted cert image
> validation support into cinder along with API changes, effectively
> killing the chance of this getting done in nova in Rocky, and this
> blueprint has been around since at least Ocata so it would be good to
> make progress if possible.
As mentioned above, I don't want to derail progress until (if ever?)
trusted certs achieve this magical
works-for-every-driver-and-functionality state. It's not realistic to
expect this to be done, IMHO, and it just keeps good functionality out of
the hands of many cloud users.
Just my 2 cents.
-jay
[1] https://review.openstack.org/#/c/486204/
[2] https://specs.openstack.org/openstack/nova-specs/specs/rocky/approved/nova-validate-certificates.html
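As an added illustration (not nova's code and not from either poster), the request-time check the thread describes: a server-create body that asks for trusted image certificates is rejected when the root disk is volume-backed, and a deployment-level switch stands in for the proposed policy rule. The field name `trusted_image_certificates`, the `Deployment` class and its `trusted_certs_policy_allowed` flag are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Stand-in for a policy denial (HTTP 403)."""


class BadRequest(Exception):
    """Stand-in for a request-validation failure (HTTP 400)."""


@dataclass
class Deployment:
    # Hypothetical switch representing the policy rule proposed in the thread:
    # operators whose backend cannot validate images turn it off.
    trusted_certs_policy_allowed: bool = True


def uses_volume_root(server: dict) -> bool:
    """True when the root disk is a Cinder volume (boot-from-volume).

    A block device mapping with boot_index 0 whose destination is a volume
    marks the server as volume-backed; without such a mapping, a missing
    imageRef is treated as volume-backed as well.
    """
    for bdm in server.get("block_device_mapping_v2", []):
        if bdm.get("boot_index") == 0 and bdm.get("destination_type") == "volume":
            return True
    return not server.get("imageRef")


def validate_trusted_certs(server: dict, deployment: Deployment) -> Optional[list]:
    """Return the requested cert IDs, or None when the feature is not requested.

    Raises Forbidden when policy disallows the feature and BadRequest when the
    request combines trusted certs with a volume-backed root disk.
    """
    certs = server.get("trusted_image_certificates")
    if certs is None:
        return None  # feature not requested; nothing to enforce
    if not certs:
        raise BadRequest("trusted_image_certificates must not be empty")
    if not deployment.trusted_certs_policy_allowed:
        raise Forbidden("policy disallows trusted image certificates here")
    if uses_volume_root(server):
        raise BadRequest("trusted certs are not supported for volume-backed servers")
    return list(certs)
```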
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev